Thu, 2003-01-23 at 15:30, Brian K. Jones wrote:
Many <snip>s:
> I have OpenLDAP 2.1.12 built from source on a Redhat 7.3 box. I also
> installed pam_ldap and nss_ldap from source.
> What I'd like to do now is test by pointing ONLY ssh at the ldap server,
> so that if things don't work I can get in by some other means - and the
> console if necessary.
> I've edited my /etc/pam.d/sshd (it's gone through several iterations)
> file so it looks like this (right now):
Does it work?
> And my /etc/ldap.conf file just has the 'host' and 'base' designations
> in it. Here's the log output from the last test I performed - I've put
> line breaks between the log entries for easier reading:
> Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
This is an anonymous bind. Is that what you want to find things with?
Difficult to know without knowing what your ACLs look like.
> Jan 22 15:34:04 current slapd[4074]: conn=29 op=4 SEARCH RESULT tag=101
> err=0 nentries=0 text=
It hasn't found anything, but there's no error.
> Here's the entry for the user I'm trying to log in as. Curiously,
> there's no 'shadowAccount' objectClass. Is this necessary? I also
> notice it's looking for 'posixAccount' first, which is here.
> dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
> uid: jonesy
> cn: Brian K. Jones
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 3025
> gidNumber: 22
> homeDirectory: /home/jonesy
> gecos: My gecos field
> userPassword:: e1NNRDV....
dn: uid=jonesy,ou=People,dc=my,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Jones
cn: Brian K. Jones
uid: jonesy
mail: jonesy@CS.Princeton.EDU
uidNumber: 508 <-- Up to your choice for your system
gidNumber: 1001 <-- Have to make a group, first, with you in it
userPassword:: e1NNRDV....
homeDirectory: /home/jonesy
loginShell: /bin/ksh
gecos: Brian K. Jones
You can have shadowAccount if you want, but that's mostly accounting to
do with the validity of the account - it's not necessary for the
password.
Get GQ, compile it for Red Hat - jump from www.biot.com :-)
Best,
Tony
--
Tony Earnshaw
When all's said and done ...
there's nothing left to say or do.
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
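The following is an added example, not code from either poster or from the OpenLDAP project. It checks an LDIF export the way Tony's reply suggests doing by eye: every posixAccount entry must carry the attributes RFC 2307 requires (cn, uid, uidNumber, gidNumber, homeDirectory), an inetOrgPerson entry must also carry sn, the gidNumber must point at a posixGroup that already exists in the same export ("have to make a group first"), and the entry must have a userPassword, while shadowAccount is not demanded. The sample LDIF, the dc=example,dc=com suffix and the userPassword value are constructed for the example; the parser handles the `attr:: base64` form seen in the thread and folded continuation lines, but not `attr:< URL` values.

```python
import base64
from typing import Dict, List

# Attributes RFC 2307 lists as MUST for posixAccount and posixGroup; without
# any of these nss_ldap cannot build a complete passwd/group line.
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}
# person (the base of inetOrgPerson) requires sn and cn.
PERSON_CLASSES = {"person", "organizationalPerson", "inetOrgPerson"}
PERSON_MUST = {"sn", "cn"}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse a minimal LDIF export into a list of {attr: [values]} dicts."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)

    entries: List[Entry] = []
    current: Entry = {}
    for line in lines:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comment
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: <base64>" form, as in userPassword:: e1NN...
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(key.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {dn: [problems]} for every posixAccount entry in the export."""
    known_gids = {
        e["gidNumber"][0]
        for e in entries
        if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e
    }
    report: Dict[str, List[str]] = {}
    for e in entries:
        classes = set(e.get("objectClass", []))
        if "posixAccount" not in classes:
            continue
        dn = e.get("dn", ["<no dn>"])[0]
        required = set(POSIX_ACCOUNT_MUST)
        if classes & PERSON_CLASSES:
            required |= PERSON_MUST
        problems = [f"missing attribute {a}" for a in sorted(required - set(e))]
        gid = e.get("gidNumber", [None])[0]
        if gid is not None and gid not in known_gids:
            problems.append(f"gidNumber {gid} has no matching posixGroup")
        if "userPassword" not in e:
            problems.append("no userPassword attribute, so LDAP cannot authenticate this user")
        # shadowAccount is deliberately not required: it only adds account-validity fields.
        report[dn] = problems
    return report


# Constructed sample export: one group, one good user, one user with the
# problems discussed in the thread. The password value is a placeholder, not a real hash.
_PW = base64.b64encode(b"{SSHA}placeholder-not-a-real-hash").decode()
SAMPLE_LDIF = f"""\
dn: cn=users,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 1001
memberUid: jonesy

dn: uid=jonesy,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Jones
cn: Brian K. Jones
uid: jonesy
uidNumber: 508
gidNumber: 1001
userPassword:: {_PW}
homeDirectory: /home/jonesy
loginShell: /bin/ksh

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Broken Example
uid: broken
uidNumber: 3025
gidNumber: 22
homeDirectory: /home/broken
"""

if __name__ == "__main__":
    for dn, problems in check_entries(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", problems or "ok")
```

Run it against a real `slapcat` or `ldapsearch -LLL` dump instead of SAMPLE_LDIF to spot the group-before-user ordering and missing-attribute mistakes before pointing pam_ldap at the server.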